MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e23bf0753989e7fd50f30fb6b2efebd5ff22fb5b510bfef6a676aca40cef65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 4



SHA256 hash: 18e23bf0753989e7fd50f30fb6b2efebd5ff22fb5b510bfef6a676aca40cef65
SHA3-384 hash: 50e05f4fc98aac62cd242e69ed715c00f76c6a9d0988170e59f9f65c237c70a8f44d83d70575cf295a333ffe2fd013e7
SHA1 hash: 45615cbce211a881a4a98e497ad8fa44177d7552
MD5 hash: b977ca57621d7e642f9b003525c22ada
humanhash: beer-fruit-aspen-oscar
File name: adobe_illustrator_2025_v29.4.0_(x64)_pre-cracked.7z
Download: download sample
Signature: LummaStealer
File size: 16'022'051 bytes
First seen: 2025-04-10 00:25:31 UTC
Last seen: Never
File type: 7z
MIME type: application/x-7z-compressed
Note: This file is a password-protected archive. The password is: 8100
ssdeep: 393216:2nvZ+pgg4yJoyKUekVJo+jgBB4rfT5sTn6rVf/PHEdv/hwFYXY5w:2nhCgzyJoTUjoCK4rfT5sEHQW75w
TLSH: T182F6337E900FFDB13F35B9E18D298B28E8E45A5C3666D106CB4A8A733B71026F7C4945
TrID: 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
      42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika: sevenzip
Reporter: aachum
Tags: 7z AutoIT file-pumped LummaStealer pw-8100


Reporter comment (iamaachum):
https://media.builsi.my/Adobe_Illustrator_2025_v29.4.0_%28x64%29_Pre-Cracked.zip?c=AIYO92cvYwUA_YUCAEVTFwAMAAAAAACz => https://arch.builsi.my/request/media/XGfOMkviK9umApNFE4oQ1iSK/Adobe_Illustrator_2025_v29.4.0_(x64)_Pre-Cracked.zip

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 134
Origin country: ES
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: adobe_illustrator_2025_v29.4.0_(x64)_pre-cracked.exe
Pumped file: This file is pumped (padded with junk data to inflate its size). MalwareBazaar has de-pumped it.
File size: 821'194'731 bytes
SHA256 hash: 28c4d2e60ae333b7e1317cfeb193c8a64bde99fb969362c0c4c9be11cc7d44e7
MD5 hash: f7b1e95918f98025bcb16d18a0bfcf88
De-pumped file size: 122'368 bytes (vs. original size of 821'194'731 bytes)
De-pumped SHA256 hash: c60db8f38077d533378018b648509520cc5d72997fcd052a5c0e748755679e5f
De-pumped MD5 hash: 7de533cf905167fdc91a78cf3974fe7b
MIME type: application/x-dosexec
Signature: LummaStealer
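The pumped-versus-de-pumped hashes above matter in practice: the 821 MB file and the 122 KB file are the same malware, but only one of the two SHA256 values will match a hash-based blocklist, and an analyst who truncates the padding wrongly will produce yet a third hash. The following Python is an added example, not MalwareBazaar's own de-pumping code, of how to locate PE overlay padding without cutting into section data. It parses the section table to find where the real image ends, treats a large overlay dominated by one repeated byte as padding (the 90% fill threshold and the 1 KiB minimum overlay are this example's own assumptions), and hashes the file before and after. The "PE" it operates on is a constructed, non-runnable header with one section, standing in for the real dropped executable.

```python
import hashlib
import struct
from collections import Counter

# Heuristic thresholds (assumptions of this example, not a published standard):
# the overlay counts as pumped padding when at least PUMP_FILL_RATIO of it is a
# single byte value, and overlays smaller than MIN_OVERLAY are left alone
# (Authenticode signatures and installer stubs live there legitimately).
PUMP_FILL_RATIO = 0.9
MIN_OVERLAY = 1024


def pe_data_end(data: bytes) -> int:
    """Return the file offset at which the last PE section's raw data ends.

    Parses only the DOS header, PE signature, COFF header and section table.
    Bytes beyond this offset are overlay: the only region a pumper can inflate
    without corrupting the mapped image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    end = section_table + 40 * num_sections  # never earlier than the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def depump(data: bytes) -> tuple[bytes, dict]:
    """Strip pumped padding from a PE's overlay; section data is never touched."""
    end = pe_data_end(data)
    overlay = data[end:]
    info = {"data_end": end, "overlay_size": len(overlay), "pumped": False}
    if len(overlay) < MIN_OVERLAY:
        return data, info
    fill, count = Counter(overlay).most_common(1)[0]
    if count / len(overlay) < PUMP_FILL_RATIO:
        return data, info  # overlay looks like real data, keep it
    cut = len(data)
    while cut > end and data[cut - 1] == fill:  # trim the trailing filler run only
        cut -= 1
    info.update(pumped=True, fill_byte=fill, depumped_size=cut)
    return data[:cut], info


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_test_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-runnable PE32+ with one .text section, used as test input."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    optional = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic
    header_len = len(dos) + 4 + len(coff) + opt_size + 40
    raw_ptr = (header_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + optional + section
    return header + b"\0" * (raw_ptr - len(header)) + section_bytes


def demo() -> dict:
    """Pump the constructed PE with 64 KiB of zeros, then de-pump it."""
    clean = build_test_pe(b"\xcc" * 300)
    pumped = clean + b"\0" * 65536
    stripped, info = depump(pumped)
    return {
        "pumped_size": len(pumped),
        "depumped_size": len(stripped),
        "restored_original": sha256(stripped) == sha256(clean),
        "pumped_sha256": sha256(pumped),
        "depumped_sha256": sha256(stripped),
        "info": info,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Trimming only the trailing run of the filler byte, and never past the end of the last section, is what keeps the de-pumped hash stable across tools: a section that itself ends in zeros is preserved, and an overlay that carries real data (an embedded installer, a signature) is returned untouched. Record both hashes, as the entry above does, since sandboxes and hash feeds may have seen either form.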
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: autoit emotet

Result
Malware family:
Score: 10/10
Tags: family:lumma discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://-tiltvc.digital/kepo
https://soursopsf.run/gsoiao
https://4changeaie.top/geps
https://1easyupgw.live/eosz
https://liftally.top/xasj
https://upmodini.digital/gokk
https://salaccgfa.top/gsooz
https://zestmodp.top/zeda
https://xcelmodo.run/nahd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Warp
Author: Seth Hardy
Description: Warp

Rule name: WarpStrings
Author: Seth Hardy
Description: Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: 7z 18e23bf0753989e7fd50f30fb6b2efebd5ff22fb5b510bfef6a676aca40cef65 (this sample)
